sshguard pf

Hasse Hansson hasse at thorshammare.org
Tue Nov 4 11:22:29 UTC 2014


On Tue, Nov 04, 2014 at 08:34:22AM +0800, Fbsd8 wrote:
> Hasse Hansson wrote:
> > Hello
> > 
> > uname -a
> > FreeBSD ymer.thorshammare.org 10.1-RC3 FreeBSD 10.1-RC3 #0 r273437: Wed Oct 22 01:27:10 UTC 2014 
> > root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
> > 
> > I have a bit of a problem getting some bots blocked. I'm running pf and sshguard. Even tried fail2ban.
> > Below is a snippet from my auth.log showing sshguard blocking some IPs, but not the bot scans.
> > Both tables abusers and sshguard are empty and always were.
> > This junk is filling up my logfiles.
> > Any clues what I'm doing wrong or missing?
> > 
> > I'm running two crontabs :
> > # Sshguard
> > 0/1     *       *       *       *       root pfctl -t sshguard -T show >/etc/sshguard 2>/dev/null
> > #
> > # Bruteforce ssh
> > 0/2     *       *       *       *       root pfctl -t abusers -T show >/etc/abusers 2>/dev/null
> > 
> > 
> > In /etc/ssh/sshd_config I've uncommented :
> > Port 22
> > AddressFamily any
> > Protocol 2
> > SyslogFacility AUTH
> > LogLevel INFO
> > 
> > # Authentication:
> > 
> > LoginGraceTime 1m
> > PermitRootLogin no
> > StrictModes yes
> > MaxAuthTries 5
> > MaxSessions 10
> > 
> > PasswordAuthentication no
> > PermitEmptyPasswords no
> > ChallengeResponseAuthentication no
> > 
> > MaxStartups 10:30:100
> > 
> > In my /etc/rc.conf I have :
> > pf_enable="YES"
> > pflog_enable="YES"
> > pflog_logfile="/var/log/pflog"
> > sshguard_enable="YES"
> > sshguard_safety_thresh="30"
> > sshguard_pardon_min_interval="600"
> > sshguard_prescribe_interval="7200"
> > 
> > In /etc/pf.conf :
> > ext_if="fxp0"
> > int_if="xl0"
> > webports="{ http, https }"
> > 
> > table <abusers> counters persist
> > table <sshguard> persist
> > 
> > set skip on lo
> > scrub in
> > 
> > block in
> > pass out
> > 
> > block quick from <abusers> to any
> > block drop in log quick on $ext_if inet from <sshguard> to any
> > 
> > pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)
> > 
> > antispoof quick for { lo $ext_if $int_if }
> > 
> > pass in on $ext_if proto tcp to ($ext_if) port ssh
> > pass in log on $ext_if proto tcp to ($ext_if) port smtp
> > pass out log on $ext_if proto tcp from ($ext_if) to port smtp
> > pass in log on $ext_if proto tcp to ($ext_if) port $webports
> > pass out log on $ext_if proto tcp from ($ext_if) to port $webports
> > 
> > pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
> > 
> > <snip>
> > Nov  2 07:51:13 ymer sshguard[19225]: Blocking 103.27.24.106:4 for >900secs: 30 danger in 3 attacks over 18 seconds (all: 30d in 1 abuses over 18s).
> > Nov  2 10:35:35 ymer sshguard[19225]: Blocking 60.190.71.52:4 for >900secs: 30 danger in 3 attacks over 8 seconds (all: 30d in 1 abuses over 8s).
> > Nov  2 11:09:50 ymer sshguard[19225]: Blocking 122.225.97.105:4 for >900secs: 30 danger in 3 attacks over 65 seconds (all: 30d in 1 abuses over 65s).
> > Nov  2 13:10:52 ymer sshguard[19225]: Blocking 50.30.32.19:4 for >900secs: 30 danger in 3 attacks over 4 seconds (all: 30d in 1 abuses over 4s).
> > Nov  2 14:34:55 ymer sshguard[19225]: Blocking 61.174.51.212:4 for >900secs: 30 danger in 3 attacks over 69 seconds (all: 30d in 1 abuses over 69s).
> > 
> > Nov  2 16:32:09 ymer sshd[42957]: Connection from 202.109.143.110 port 3453 on 192.168.1.2 port 22
> > Nov  2 16:32:13 ymer sshd[42957]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:14 ymer sshd[42959]: Connection from 202.109.143.110 port 2838 on 192.168.1.2 port 22
> > Nov  2 16:32:17 ymer sshd[42959]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:21 ymer sshd[42961]: Connection from 202.109.143.110 port 3611 on 192.168.1.2 port 22
> > Nov  2 16:32:34 ymer sshd[42961]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:41 ymer sshd[42963]: Connection from 202.109.143.110 port 2507 on 192.168.1.2 port 22
> > Nov  2 16:32:48 ymer sshd[42963]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:49 ymer sshd[42965]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
> > Nov  2 16:32:52 ymer sshd[42965]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:32:52 ymer sshd[42967]: Connection from 202.109.143.110 port 4650 on 192.168.1.2 port 22
> > Nov  2 16:33:01 ymer sshd[42967]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:02 ymer sshd[42983]: Connection from 202.109.143.110 port 4316 on 192.168.1.2 port 22
> > Nov  2 16:33:12 ymer sshd[42983]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:18 ymer sshd[42985]: Connection from 202.109.143.110 port 2539 on 192.168.1.2 port 22
> > Nov  2 16:33:27 ymer sshd[42985]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:28 ymer sshd[42987]: Connection from 202.109.143.110 port 4555 on 192.168.1.2 port 22
> > Nov  2 16:33:35 ymer sshd[42987]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:38 ymer sshd[42989]: Connection from 202.109.143.110 port 3164 on 192.168.1.2 port 22
> > Nov  2 16:33:43 ymer sshd[42989]: Disconnecting: Too many authentication failures for root [preauth]
> > Nov  2 16:33:43 ymer sshd[42991]: Connection from 202.109.143.110 port 4749 on 192.168.1.2 port 22
> > Nov  2 16:33:52 ymer sshd[42991]: fatal: Read from socket failed: Connection reset by peer [preauth]
> > </snip>
> > 
> > Best Regards
> > Hasse.
> 
> You are being attacked by script kiddies and bots; they scan a whole IP 
> address range looking for open port 22 and when it's found they start 
> their login attack. Changing ssh to use some other port number will stop 
> this attack altogether. I changed ssh to use port '4422' 25 years ago 
> and no attacks since. Another way is to use the port named 'knock' to 
> temporarily open port 22 if preceded by a knock.
> 
Thank you Fbsd8 for your answer.
I'm aware of changing the port for ssh, but I see it as a little bit of "giving up".
There's gotta be some rather easy way of just blocking those attacks, other than blocking
the whole of CN and half of Asia. I've tried that too. It stopped the attacks and gave
me some room to think it over.

But I still wonder why sshguard or pf don't block those attacks.
sshguard does its job on other probes, but not the root logins. PF doesn't seem
to do much at all.
Probably my settings somewhere, but I can't figure out where.
A wild guess from my side is that sshguard is using hosts.allow instead of pf.
Well, it doesn't do much harm other than cluttering up my logfiles anyway.
I'll see if I have better luck with OSSEC HIDS.
/hasse

PS.
I checked up on my installation of sshguard. Apparently I missed the pf switch.
It's now properly installed, showing up as "sshguard-pf-1.5_6",

and I immediately got a chance to test it. It's working.

root at ymer:/var/log # pfctl -t sshguard -T show
No ALTQ support in kernel
ALTQ related functions disabled
   61.174.51.208
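An added note on the posted pf.conf, not from either poster: pf takes the last matching rule unless a rule carries `quick`, so the plain `pass in on $ext_if proto tcp to ($ext_if) port ssh` rule that comes after the overload rule wins for every SSH connection, state is created without `max-src-conn-rate`, and `<abusers>` stays empty. The script below (example code written for this thread) lints a ruleset for that shadowing and carries the merged rule; the rule text is a constructed copy of the two posted lines.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster.
# pf evaluates rules top to bottom and the LAST matching rule wins unless
# it is marked "quick". A later plain "pass ... port ssh" rule therefore
# shadows an earlier overload rule: state is created under the later rule,
# max-src-conn-rate is never evaluated and the <abusers> table stays empty.

# Constructed copy of the two SSH pass rules from the posted pf.conf.
POSTED_RULES='pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)
pass in on $ext_if proto tcp to ($ext_if) port ssh'

# Corrected form: one rule, marked quick, so no later rule can take over.
FIXED_RULES='pass in quick on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/120, overload <abusers> flush)'

# shadowed_overload_rules RULESET
# Prints the line number of every non-quick "pass ... port ssh" rule that
# appears after a non-quick overload rule for port ssh. Empty output means
# the overload rule has the last word on SSH traffic.
# Accepts "port ssh" (pf.conf) and "port = ssh" (pfctl -sr output).
shadowed_overload_rules() {
    printf '%s\n' "$1" | awk '
        /^pass/ && /port (= )?ssh/ && /overload/ {
            seen = NR; quick = ($0 ~ / quick /)
        }
        /^pass/ && /port (= )?ssh/ && !/overload/ && seen && !quick && !/ quick / {
            print NR
        }
    '
}

# ssh_overload_effective RULESET: returns 0 if nothing shadows the overload rule.
ssh_overload_effective() {
    [ -z "$(shadowed_overload_rules "$1")" ]
}

# Demonstration on the constructed rulesets.
shadowed_overload_rules "$POSTED_RULES"   # prints 2: the second rule shadows the first
shadowed_overload_rules "$FIXED_RULES"    # prints nothing
```

On the live host the same check runs over the loaded ruleset with `shadowed_overload_rules "$(pfctl -sr)"`.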